test('防止XSS攻击', () => {
  const input = '<script>alert("xss")</script>';
  const sanitized = sanitizeInput(input);
  expect(sanitized).not.toContain('<script>');
});